AIR  WAR  COLLEGE 


AIR  UNIVERSITY 

RESISTANCE  IS  NOT  EUTILE: 
THE  CASE  AGAINST  A 
CYBER  ARMS  TREATY 

by 

Kristine  M.  Rogers,  CIV,  USA 

A  Research  Report  Submitted  to  the  Eaculty 
In  Partial  Eulfillment  of  the  Graduation  Requirements 

Updated  17  October  2010 


Distribution  A:  Approved  for  public  release;  distribution  unlimited 


DISCLAIMER 


The  views  expressed  in  this  academic  research  paper  are  those  of  the  author  and  do  not  reflect 
the  official  policy  or  position  of  the  US  government  or  the  Department  of  Defense.  In  accordance 
with  Air  Force  Instruction  51-303,  it  is  not  copyrighted,  but  is  the  property  of  the  United  States 
government. 


Contents 


Disclaimer . i 

Contents . ii 

Biography . iii 

Introduction . 1 

Actors  in  Cyberspace . 2 

State-level  actors . 2 

Non-state  actors . 3 

Weapons  in  Cyberspace . 4 

Cyber  Weapons:  Direct  Access  Not  Required . 5 

Cyber  Weapons:  Direct  Access  Required . 6 

Computer  Network  Exploitation  Tools:  A  Complicating  Factor . 6 

Perishability  of  Cyber  Tools . 8 

The  Role  of  Forensics  and  Attribution . 9 

Goals  of  Arms  Control . 9 

Criteria  for  Success . 10 

Tactical  Factors  for  Successful  Treaty  Implementation . 10 

Insight . 10 

Measurability . 11 

Verifiability . 12 

Strategic  Factors  for  Successful  Treaty  Implementation . 13 

Strategic  Reduction  of  Capability  and  Threat . 13 

Benefits  of  a  Cyber  Arms  Treaty . 14 

Costs  of  a  cyber  arms  treaty . 15 

Future  Directions . 15 

Conclusion . 17 

Bibliography . 18 


End  Notes 


20 


Biography 


Kristine  Rogers  earned  her  B.A.  in  International  Studies  (Law  and  Diplomacy  emphasis, 
minors  in  Arabic  and  Modern  Near  East  Studies)  from  Brigham  Young  University,  and  her  M.S. 
in  Computer  Science  (Computer  Security  and  Information  Assurance  emphasis)  from  the  George 
Washington  University.  In  2002,  she  began  working  as  an  analyst  for  the  US  Government. 

Since  that  time  she  has  served  in  a  variety  of  analytic  and  leadership  roles. 


Introduction 


An  inherently  flexible  medium,  cyberspace  is  controlled  more  by  market  forces  and 

popular  trends  than  by  formal  regulation  attempts.  Cyberspace  is  a  medium  so  integrated  with 

modem  life  that  in  a  growing  number  of  countries  it  serves  as  a  foundation  for  many 

capabilities — including  critical  infrastructures.  Given  the  lack  of  security  built  into  the 

framework  of  the  Internet,  it  is  no  surprise  that  highly  connected  nation  states — those  with  a 

heavy  reliance  on  cyber  integrated  into  their  critical  infrastructures — fear  cyber  weapons.  As  a 

result,  nation  states  desire  to  impose  limits  on  development  of  cyber  weapons.  Since  the  late 

12 

1990s,  some  states  have  lobbied  for  an  international  cyber  arms  treaty. 

This  paper  sets  out  to  demonstrate  why  an  international  cyber  arms  treaty  is  unrealistic 

option  for  regulating  cyber  attack  capabilities — in  particular,  nation  state-level  cyber  weapons. 

International  cyber  cooperation  on  the  issue  of  cyber  arms  is  important;  however,  a  cyber  arms 

control  treaty  would  provide  only  limited  benefit  to  treaty  participants.  This  paper  evaluates  the 

viability  of  a  cyber  arms  treaty  based  on  its  ability  to  satisfy  tactical  and  strategic  factors  that 

would  be  prerequisites  for  successful  implementation.  On  the  tactical  side,  participants  must 

agree  to  provide  others  with  insight  into  their  capabilities,  the  weapons  regulated  by  the  treaty 

should  be  measurable,  and  the  treaty’s  terms  must  be  verifiable.  The  primary  strategic 

consideration  is  that  the  arms  treaty  should  result  in  limit  or  reduction  of  the  overall  number  of 
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cyber  arms,  thus  creating  a  more  secure  or  stable  situation. 

A  cyber  arms  treaty  would  be  ineffective  due  in  particular  to  the  lack  of  a  consistent 
terminology  relating  to  cyber  weapons  and  the  indistinct  lines  between  computer  network  attack 
and  computer  network  exploitation  capabilities.  Nation  states  can  easily  conceal  cyber  attack 
capabilities  in  the  gray  area  between  computer  network  attack  and  computer  network 


1 


exploitation  tools.  Given  the  lack  of  international  laws  regulating  intelligence  gathering,  it  is 
unlikely  that  computer  network  exploitation  capabilities — which  primarily  provide  intelligence 
benefits — would  be  regulated  in  a  treaty."^ 

Unfortunately,  a  cyber  arms  treaty  has  little  hope  of  either  tactical  or  strategic  success. 
The  only  realistic  benefit  might  be  intelligence  gathering  on  other  nations’  capabilities;  however, 
even  that  is  of  limited  utility  due  to  the  ease  with  which  states  could  reveal  only  those 
capabilities  that  they  want  other  states  to  see — thus  creating  an  opportunity  for  a  deception 
campaign.  This  paper  also  notes  how  a  cyber  arms  treaty  could  actually  initiate  a  cyber  arms 
race,  instead  of  promoting  disarmament. 

Actors  in  Cyberspace 

Cyberspace  contains  a  complex  mix  of  participants,  in  which  the  divisions  between  state 
actions — those  that  might  fall  under  a  cyber  arms  treaty — and  non-state  actions  state — ones  that 
may  fall  under  a  cyber  crimes  treaty  rather  than  a  cyber  arms  treaty — are  blurry  at  best.  Unlike 
nuclear  and  other  types  of  arms  development,  cyber  arms  have  a  low  barrier  to  entry.  It  is 
difficult  to  compare  cyber  warfare  with  other  forms  of  warfare,  which  have  a  significantly 
smaller  number  and  range  of  actors. Governments  have  little  or  no  control  over  non-state 
actors  in  the  cyber  realm,  who  can  get  involved  in  production  and  distribution  of  cyber  arms  at 
little  or  no  cost. 

State-level  actors 

State-level  actors  range  from  senior  policymakers  to  intelligence  to  civilian  organizations 
to  military  organizations.  It  is  these  organizations’  activities  that  may  be  regulated  under  a  cyber 
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arms  treaty.  However,  even  this  is  not  straightforward.  As  will  be  discussed  later,  the  difficulty 
in  distinguishing  between  computer  network  attack  and  computer  network  exploitation 
capabilities  means  that  interested  parties  include — at  the  very  least — military  and  intelligence 
organizations,  who  may  disagree  about  the  purpose  of  cyber  arms.  Another  potential 
complicating  factor  is  the  potential  for  state  sponsored  cyber  mercenaries — organizations  that  are 
not  formally  part  of  the  government,  but  which  act  in  accordance  with  government  strategic 

70 

direction. 

While  highly  connected  nation  states  may  be  the  largest  targets  of  cyber  weapons,  they 
would  not  be  the  only  states  targeted  for  cyber  arms  regulation.  Nation  states  with  less  military 
capability  recognize  an  asymmetric  opportunity  in  the  cyber  world.  ^ 

Non-state  actors 

Even  though  this  paper  focuses  primarily  on  state-level  actors,  it  is  important  to  note  the 
role  that  non-state  actors  play  in  complicating  the  domain.  The  category  of  non-state  actors 
includes  two  general  groups:  non-state  actors  with  hostile  intent,  and  non-state  actors  with 
business  motivations.  While  some  hostile  non-state  actors  have  financial  activities,  the 
distinguishing  factors  between  the  two  categories  is  the  extent  to  which  the  group  follows  laws, 
and  their  intent  to  cause  damage.  Hostile  non-state  actors  might  include  malicious  hacker 
organizations  and  terrorist  groups. Non-state  actors  with  business  motivations  include  private 
sector  businesses,  including  those  companies  that  support  the  Internet  infrastructure,  and  general 
Internet  users.  Unfortunately,  even  in  the  case  of  non-state  actors  who  follow  laws,  their 

I  ^ 

technological  direction  is  set  more  by  the  market  than  by  the  desires  of  governments. 
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Malicious  and  financially-motivated  non-state  actors  may  or  may  not  be  controlled  by  their  local 


governments. 


Weapons  in  Cyberspace 

Are  cyber  weapons  as  dangerous  as  conventional  weapons  of  mass  destruction?  The  first 
order  effects  of  cyber  weapons  do  not  match  the  death  and  destruction  that  can  be  caused  by 
nuclear,  biological,  and  other  weapons.  As  a  result,  aside  from  requirements  for  near-real  time 
forensics  and  attribution,  the  issue  of  cyber  weapons  regulation  is  significantly  different  than 
with  other  forms  of  warfare.  At  present,  states  do  not  acknowledge  their  computer  network 
attack  capabilities  openly.  Unlike  nuclear  and  other  weapons  of  mass  destruction,  this  makes 
deterrence  and  coercion  difficult,  because  you  cannot  tell  the  extent  to  which  you  should  fear 
another  state’s  capabilities. Also,  the  rapid  pace  of  development  in  cyberspace  makes  it 
difficult  to  regulate  tools.  Today’s  tools  may  be  obsolete  or  non-functional  tomorrow. 

For  sake  of  simplicity,  this  paper  refers  both  to  computer  network  attack  and  exploitation 
tools  as  “cyber  arms”  or  “cyber  weapons.”  Cyber  weapons  include  software-  or  hardware-based 
tools  for  destroying,  disrupting,  degrading,  or  denying  access  to  systems.  In  particular,  cyber 
arms  are  those  tools  which,  when  used  intentionally  by  state-level  actors,  create  effects  that  the 
opponent  would  view  as  an  act  of  war  in  cyberspace.  This  may  include  both  software  that  causes 
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the  effect,  or  it  could  include  hardware  implants  that  cause  an  impact  to  software. 

Discussions  of  cyber  tools  and  weapons  are  often  divided  into  two  camps:  discussion  of 
the  tools  and  their  capabilities,  or  discussion  of  tools’  intended  effects.  Both  descriptions  have 
limitations,  in  particular  because  many  tools  can  be  used  for  multiple  purposes,  and  do  not  neatly 
fit  into  either  capability-  or  effects-based  categories.  Much  literature  also  discusses  the 
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differences  between  tools  designed  for  the  purpose  of  computer  network  attack  (damaging  or 
destroying  data  or  systems),  as  opposed  to  tools  whose  purpose  is  computer  network  exploitation 
(subverting  systems  for  the  purpose  of  gathering  information).  Unfortunately,  even  that  model  is 
incomplete,  as  many  tools  used  for  computer  network  exploitation  could  also  be  used  as  a 
vehicle  for  launching  attacks.'^ 

For  the  purpose  of  this  discussion,  cyber  weapons  will  be  divided  into  two  categories: 

tools  that  do  not  require  the  victim’s  machine  to  result  in  a  desired  effect,  and  tools  that  do 

require  direct  access  to  a  victim’s  machine.  This  paper  focuses  more  on  tools  requiring  access, 

because,  as  discussed  later,  tools  that  do  not  require  direct  access  can  be  worked  around,  and  the 

20 

targets  can  be  said  to  fall  under  the  Law  of  Armed  Conflict. 

Cyber  Weapons:  Direct  Access  Not  Required 

The  first  category  of  cyber  weapons  includes  those  technologies  that  can  cause  effects 
without  an  attacker  having  direct  access  to  an  adversary’s  computer  systems.  In  general,  these 
tools  can  be  thought  of  as  the  less  precise  munitions  of  the  Internet.  Denial  of  service 
weapons — designed  to  overwhelm  computers  or  networks  to  prevent  them  from  receiving  and 
transmitting  information — are  a  widely  publicized  version  of  this  attack.  There  may  be  some 
possibility  of  categorizing  and  regulating  these  tools’  tactical  use  on  the  battlefield  for  jamming 
and  related  purposes.  However,  the  effects  for  which  these  tools  are  widely  known — attacks 
against  commercial  systems  to  cause  financial  and  other  damage — may  be  of  limited  benefit  to 
the  attacker,  due  to  the  potential  for  cross-border  spillover.  For  example,  an  attack  on  a  US 
critical  infrastructure  could  impact  financial  markets  worldwide — including  the  state  that 
launched  the  attack.  Also,  while  these  types  of  attacks  cause  temporary  damage,  eventually 
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administrators  can  create  workarounds  to  reestablish  access.  Other  tools  in  this  category  include 
“man  in  the  middle”  attacks  (altering  data  mid-stream),  and  some  viruses  and  worms,  which  rely 
on  users’  own  actions  to  spread  the  malicious  code. 

Cyber  Weapons:  Direct  Access  Required 

The  category  of  cyber  weapons  requiring  direct  access  to  an  adversary’s  computers 
focuses  on  more  targeted  cyber  attacks.  This  category  is  affected  by  the  blurred  border  between 
computer  network  exploitation  and  computer  network  attack  tools.  Historically,  intelligence 
activities — under  which  computer  network  exploitation  can  be  categorized — have  not  been 
bound  by  international  treaties.  This  issue  spills  into  that  of  computer  network  attack 

capabilities.  Cyber  tools  that  require  “breaking  and  entry”  can  fairly  easily  be  asserted  to  have 
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intelligence  gathering  capabilities,  which  would  not  be  regulated  under  international  law. 

Cyber  arms  that  require  direct  access  to  a  machine  or  system  must  have  a  delivery 
system.  While  this  may  sound  like  an  obvious  statement,  upon  further  review  it  demonstrates 
some  of  the  complexity  that  would  have  to  be  overcome  prior  to  the  establishment  of  a  cyber 
arms  treaty.  More  specifically,  attack  tools  that  require  direct  access  and  exploitation  tools  may 
share  some  functional  capabilities,  as  well  as  delivery  mechanisms. 

Computer  Network  Exploitation  Tools:  A  Complicating  Factor 

Effective  direct-access  computer  network  attack  tools  may  require  the  same  level  of 
privilege  as  computer  network  exploitation  tools.  In  other  words,  the  same  tool  that  is  used  to 
infect  and  gather  information  from  one  machine  could  also  be  used  to  launch  an  attack.  This 
ambiguous  line  between  computer  network  attack  and  computer  network  exploitation  tools 
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makes  it  difficult  to  regulate  cyber  weapons  in  a  consistent  and  reliable  way.  This  idea  can  be 
explored  by  focusing  on  the  idea  of  a  system  administration  tool.  This  is  a  relevant  analogy  in 
particular  because  some  Trojan  Horse  software — commonly  considered  malicious  software — is 
also  marketed  as  an  inexpensive  tool  for  managing  computers  across  a  network.  If  the  software 
provides  a  remote  user  with  the  right  level  of  access,  he  or  she  can  either  modify  or  monitor  the 
network. 

As  with  system  administration  tools,  as  long  as  a  cyber  weapon  has  the  right  system 
access,  the  user  can  perform  functions  that  could  be  categorized  either  as  “attacks”  or  as 
“exploitation.”  If  he  or  she  intentionally  causes  a  machine  to  fail,  for  example,  this  action  might 
be  considered  an  attack.  If  he  copies  and  exports  a  specific  file,  that  could  be  considered  an 
exploitation  activity.  If,  however,  the  exploitation  activity  also  caused  a  machine  to  fail,  from 
the  vantage  point  of  the  victim  it  might  be  considered  an  attack.  Forensics  may  later  identify 
what  happened,  but  it  would  not  necessarily  reveal  the  intent.  Perhaps  this  is  why  some  nation 
states  have  indicated  that  they  equate  any  cyber  break-in  activities  as  the  equivalent  of  an  “act  of 
war”  in  cyberspace. 

Because  nation  state  espionage  activities  do  not  fall  under  any  international  treaties,  no 
higher  body  regulates  what  is  and  is  not  acceptable  in  information  gathering.  Even  the  DoD 
Joint  Publication  3-13  refers  to  computer  network  exploitation  as  an  accepted  Information 
Operations  capability.  Countries  have  an  interest  in  gathering  information  from  adversaries 
and  competitors.  With  the  worldwide  reach  that  the  Internet  offers,  the  Internet  becomes  a 
channel  for  gathering  intelligence.  This  becomes  more  complicated,  as  states  have  an  interest  or 
incentive  in  maintaining  their  computer  network  exploitation  capabilities.  Where  those 
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capabilities  overlap  with  attack  capabilities,  they  will  likely  categorize  the  tool  in  the  category 
not  open  to  treaty  verification. 

Perishability  of  Cyber  Tools 

Another  factor  that  separates  cyber  tools  from  kinetic  weapons  is  their  perishability. 
Whereas  defenses  against  nuclear  or  biological  weapons  may  be  difficult  to  develop,  many  cyber 
weapons  can  be  identified  and  patched  quickly.  Thus,  revealing  a  capability  to  a  competitor  or 
adversary  could  provides  them  with  an  ability  to  detect  and  protect  against  it,  thus  obviating  the 
need  to  have  developed  the  capability  in  the  first  place.  In  addition  to  patching  the  now- 
disclosed  vulnerability,  they  could  develop  active  defense  mechanisms  to  attack  their  attacker — 
which  may  be  considered  an  offensive  form  of  defense. 

As  indicated  earlier,  one  of  the  few  possible  benefits  of  a  cyber  arms  treaty  would  be 
intelligence-related:  gaining  an  understanding  of  the  capabilities  that  states  have  developed  in  the 
cyber  world.  Given  the  current  lack  of  transparency  in  cyber  weapons  development,  it  is 
reasonable  that  a  state  could  learn  about  a  capability  something  that  they  have  not  tried 
themselves.  In  addition  to  protecting  against  it,  they  could  add  it  to  their  own  research  and 
development  efforts.  Given  the  lack  of  common  terminology,  they  could  mix  in  exploitation 
capabilities,  and  it  becomes  out  of  the  scope  of  the  terms  of  the  treaty.  This  is  a  natural  behavior 

27 

in  cyberspace  research  and  development:  building  on  ideas  observed  elsewhere. 

In  both  the  case  of  active  defense  and  integration  of  an  observed  capability  into  new 
research  and  development,  it  is  realistic  that  monitoring  of  a  treaty  could  itself  lead  to  a  cyber 
tools  arms  race.  Nuclear  and  chemical  weapons  do  not  have  a  comparable  overlap;  “dual  use” 
may  apply  to  weapons  parts,  but  generally  not  to  the  finished  weapon. 
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The  Role  of  Forensics  and  Attribution 

Attribution  of  cyber  activities — and  in  particular,  states’  unwillingness  to  acknowledge 
their  computer  exploitation  capabilities  and  activities — would  be  a  significant  barrier  to 
implementing  a  treaty.  The  difficulty  of  identifying  perpetrators  provides  plausible  deniability, 
which  state  actors  would  not  necessarily  want  to  renounce.  First,  governments  do  not  want  to 
acknowledge  engagement  in  activities  that  are  considered  illegal.  Not  only  is  there  the  potential 
for  negative  public  opinion,  but  it  could  also  imply  to  adversaries  that  they  consent  to  reciprocal 
actions  at  the  same  level.  Finally,  revealing  or  acknowledging  cyber  capabilities  allows  an 
adversary  to  identify  techniques  and  protect  against  them.  However,  even  if  a  source  is 
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uncovered,  it  does  not  always  reveal  the  intent  behind  the  action. 

Goals  of  Arms  Control 

Arms  control  treaties  are  intended  to  regulate  the  development  and  proliferation  of 
extremely  dangerous  weapons.  The  end  goal  of  an  arms  control  agreement  is  an  improved 
security  situation,  whether  regionally  or  internationally.  The  agreement  should  reduce  the  risk  of 
war,  reduce  the  cost  of  preparing  for  war,  and  reduce  the  amount  of  damage  caused  should  war 
occur.  However,  some  modem  theorists  believe  that  controls  over  the  most  dangerous 
weapons — much  less  cyber  weapons — are  obsolete  in  today’s  world.  Instead,  they  argue  that 
arms  should  be  controlled  in  other  ways,  such  as  by  strategy  and  the  use  of  instruments  of  power 
(diplomatic,  informational,  military,  economic,  and  cultural  initiatives).  In  the  case  of 
cyberspace,  this  is  not  possible  because  there  is  no  single  source  of  control  over  actors  providing 
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Internet  governance.  What  would  be  the  incentive  for  these  actors  to  reveal  the  full  range  of 
their  cyber  capabilities? 


Criteria  for  Success 

In  order  to  have  a  cyber  arms  control  treaty  that  has  some  hope  of  success,  a  number  of 
tactical  and  strategic  factors  must  be  satisfied  under  the  treaty — including  insight,  measurability, 
verifiability,  and  improvements  in  international  security.  A  key  assumption  is  that  the  treaty 
would  not  give  up  a  significant  amount  of  sovereignty,  in  order  to  maintain  some  hope  of  being 
ratified.  If  one  or  more  of  these  factors  is  not  possible,  the  utility  of  attempting  to  create  the 
treaty  should  be  in  question. 

Tactical  Factors  for  Successful  Treaty  Implementation 

On  the  tactical  side,  the  parties  to  the  treaty  must  allow  other  members  to  have  insight 
into  their  efforts,  the  technology  should  be  measurable,  and  the  terms  of  the  treaty  should  be 
verifiable. 

Insight 

This  tactical  factor  relates  to  states’  willingness  to  reveal  their  technological  capabilities 
relating  to  the  regulated  technology  to  an  arms  control  monitoring  organizations.  If  the  states 
involved  in  the  treaty  are  unwilling  to  open  up  their  research  and  design  programs  for  on-  or  off¬ 
site  inspection,  it  is  unlikely  that  a  treaty  will  succeed. 

It  may  be  possible  to  have  limited  success  in  convincing  states  to  reveal  cyber  capabilities 
to  other  states.  By  providing  some  insight  into  their  activities,  they  would  benefit  by  gaining  an 
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understanding  of  other  countries’  cyber  capabilities.  This  will  allow  participants  to  create 
defenses  against  other  states’  capabilities.  On  the  negative  side,  participants  would  likely 
construct  the  definition  of  “cyber  arms”  so  as  to  reveal  limited  capabilities,  but  mask  other 
efforts  in  areas  that  they  can  justify  as  being  outside  the  bounds  of  the  treaty.  This  allows  such 
activities  as  computer  network  exploitation  to  continue.  Additionally,  such  insight  into  state 
level  actions  does  not  imply  comparable  knowledge  of  corporate  activities. 

Measurability 

Once  parties  to  the  treaty  are  willing  to  reveal  their  capabilities,  the  parties  to  the  treaty 
and  the  inspection  team  should  have  a  clear  and  consistent  understanding  of  the  weapon  and  its 
capabilities.  They  should  be  able  to  quantify  numbers  of  weapons  in  a  state’s  possession,  and 
have  some  method  for  comparing  one  state’s  capabilities  to  another.  This  sounds  intuitively 
obvious,  but  in  the  cyber  world  it  is  complex.  It  is  not  fast  or  cheap  to  duplicate  a  nuclear 
weapon;  it  is,  however,  inexpensive  and  simple  to  duplicate  a  piece  of  software  designed  to 
launch  an  attack.  Nuclear  weapons  or  pathogens  are  generally  easier  to  define  and  quantify  than 
software.  If  the  regulated  arms  are  too  narrowly  defined,  this  could  encourage  participant  states 
to  make  token  revelations,  without  revealing  other — ^perhaps  more  destructive — capabilities. 

Once  parties  to  the  treaty  are  willing  to  reveal  their  capabilities,  it  is  important  to  have  an 
inspection  team  with  an  understanding  of  the  weapon’s  capabilities.  They  should  be  able  to 
quantify  numbers  of  weapons  in  possession,  and  have  some  method  for  comparing  one  state’s 
capabilities  to  another.  Unfortunately,  agreeing  on  how  to  measure  capabilities  and  on  a 
definition  for  measuring  a  reduction  in  cyber  “stockpiles”  is  difficult.  How  does  a  state  “disarm” 
when  copying  or  archiving  parts  of  a  cyber  armory  is  cheap  and  easy? 
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As  described  above,  the  blurry  lines  between  computer  network  attack  and  computer 
network  exploitation  tools  leads  to  the  potential  for  token  revelations  that  either  reveal 
capabilities  that  no  longer  work,  or  that  deceive  other  participants  about  their  true  capabilities. 
Scoping  the  terms  of  the  treaty  to  exclude  tools  with  computer  network  exploitation  capabilities 
could  have  the  unintended  impact  of  encouraging  states  to  give  the  appearance  of  compliance, 
while  continuing  development  of  attack  capabilities.^^  Unfortunately,  it  is  unlikely  that 
exploitation  capabilities  would  be  regulated  under  such  a  treaty;  this  means  the  gap  will 
continue. 

Verifiability 

In  order  for  the  treaty  to  succeed,  treaty  verification  must  be  plausible.  This  not  only 
requires  openness  and  disclosure  among  parties  to  the  treaty,  but  also  requires  an  understanding 
of  current  and  future  technologies — specifically,  a  monitoring  organization  containing  technical 
experts  who  are  qualified  to  evaluate  capabilities,  and  compare  compliance  among  countries. 
They  should  also  possess  the  ability  to  assess  whether  parties  may  be  cheating,  or  withholding 
capabilities. 

The  question  of  what  would  be  verified  under  a  cyber  arms  treaty  is  also  complicated. 
Does  verification  include  software  tools  only,  or  hardware?  Would  the  process  include  a 
demonstration  of  the  software,  or  a  full  review  of  program  source  code?  Is  it  only  disclosure  of 
the  attack  tool,  or  does  it  include  the  delivery  mechanism?  The  latter  is  significantly  impacted 
by  the  gray  area  between  computer  network  attack  and  exploitation  capabilities,  because  attack 
and  exploitation  tools  could  use  the  same  delivery  mechanisms. 
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Given  the  rapid  pace  of  changes  within  the  cyberspace  domain,  treaty  verification  would 
require  an  extremely  agile  monitoring  capability.  Considering  how  quickly  computer  technology 
changes,  protecting  against  today’s  threats  would  be  unlikely  to  prevent  development  of  future 
capabilities.  Additionally,  without  reliable  attribution,  it  can  be  extremely  difficult  to  identify 
which  state-level  actors — if  any — violated  the  terms  of  the  treaty.  If  state-level  actors  cannot 
effectively  be  distinguished  from  non-state  actors,  it  would  be  difficult  to  evaluate  compliance; 
non-state  Internet  activities  could  be  indistinguishable  from  state-sponsored  activities. 

Strategic  Factors  for  Successful  Treaty  Implementation 

The  arms  treaty  should  demonstrate  a  net  benefit  to  participants,  vice  simply  a 
relinquishing  of  capability,  in  order  to  maintain  some  hope  of  approval  from  individual  state 
governments.  This  means  the  treaty  must  not  require  participants  to  give  up  significant  amounts 
of  sovereignty."^'^  Without  reliable  insight,  measurability,  and  verifiability,  it  would  be  difficult 
to  convince  a  government  to  approve  the  terms  of  a  treaty.  States  would  be  unlikely  to  become 
party  to  the  treaty  if  the  treaty  terms  leave  significant  room  for  cheating,  or  could  result  in  a 
negative  end  state — for  instance,  an  arms  race  rather  than  arms  control. 

Strategic  Reduction  of  Capability  and  Threat 

Over  time,  treaty  compliance  should  result  in  a  quantifiable  reduction  in  the  regulated 
weapons  technology,  which  will  produce  a  more  secure  and  stable  international  security 
environment.  Parties  should  maintain  sufficient  capability  to  maintain  a  sense  of  security,  but 
the  overall  international  threat  diminishes."^'  Unfortunately,  a  cyber  arms  treaty  would  likely  not 
lead  to  any  significant  change.  Parties  to  the  treaty  would  probably  continue  to  engage  in 
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development  of  dual  use  technologies — specifically,  computer  network  exploitation  tools  with 
computer  network  attack  capabilities,  or  potential  for  such  capabilities.  Over  time,  the  treaty 
would  not  result  in  a  reduction  of  cyber  threats  even  at  the  state  level,  much  less  over  non-state 
actors. 

In  theory,  monitoring  is  not  about  intelligence  gathering.  However,  participants  cannot 
discount  the  possibility  that  participants  report  back  to  intelligence  services.  As  described 
earlier,  when  states  reveal  their  cyber  capabilities  during  the  verification  process,  they  could 
unintentionally  be  providing  others  with  ideas  about  how  to  expand  programs.  In  fact,  the 
likelihood  of  a  cyber  arms  treaty  providing  security  and  disarmament  is  so  low  that  it  may  even 
be  more  likely  that  such  a  treaty  would  start  vice  prevent  a  cyber  arms  race. 

The  very  notion  of  cyber  disarmament  is  problematic  in  a  world  where  copying  files  is 
very  simple.  What  qualifies  as  disarmament?  Provision  of  patches  against  states’  capabilities? 
Or  is  it  deletion  of  files?  If  the  file  is  deleted,  how  do  you  prove  the  file  is  gone?  An  actor  could 
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easily  modify  a  file  slightly  before  using  it  again. 

Benefits  of  a  Cyber  Arms  Treaty 

Despite  the  fact  that  a  cyber  security  treaty  would  likely  be  ineffective,  some  states 
support  the  notion  of  a  treaty.  What,  then,  could  a  state  gain  from  a  cyber  arms  treaty?  The 
primary  benefit  of  a  cyber  arms  treaty  would  be  intelligence,  not  security.  It  would  allow  states 
to  understand  other  states’  capabilities,  and  gauge  overall  sophistication  levels.  Through  this 
insight,  states  would  be  able  to  design  defenses  and  countermeasures  against  those  tools  revealed 
by  the  other  parties  to  the  treaty — though,  as  emphasized  above,  these  capabilities  may  not 
represent  the  state’s  actual  range  of  abilities.  Through  this  understanding  of  others’  capabilities, 
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states  may  be  able  to  assess  whether  they  have  a  relative  advantage,  and  possibly  be  able  to  use 
their  capability  to  deter  or  coerce.  Finally,  participation  in  such  a  treaty  creates  opportunities  for 
states  to  run  information  operations  against  one  another,  misleading  other  states  into  believing 
their  capabilities  are  at  a  different  level. 

Costs  of  a  cyber  arms  treaty 

On  the  other  hand,  revealing  cyber  capabilities — even  if  not  a  full  disclosure — quickly 
leads  to  a  loss  of  the  disclosed  capabilities.  This  is  much  more  extreme  than  with  the  types  of 
treaties  to  which  cyber  arms  have  been  compared.  In  cyberspace,  the  cycle  of  identifying  a 
vulnerability,  creating  an  exploit,  discovering  the  exploit,  and  patching  against  the  exploit  can  be 
very  fast.  Another  potential  cost  is  the  fact  that  there  would  be  no  guarantee  that  the  other 
participants  have  shared  the  breadth  of  their  capabilities;  in  fact,  the  dual  nature  of  computer 
network  exploitation  and  attack  tools  would  make  it  simple  to  limit  participation  to  token 
revelations.  Finally,  because  the  technology  changes  rapidly,  participants  may  be  able  to 
regulate  some  of  today’s  weapons,  but  not  tomorrow’s  weapons.  It  would  be  difficult  to 
categorize  cyber  weapons  in  broad  enough  terms  that  a  treaty  developed  today  remains  relevant 
tomorrow. 

Future  Directions 

At  present,  many  obstacles  would  have  to  be  removed  in  order  to  create  a  situation  in 
which  a  cyber  arms  treaty  could  be  considered  viable.  First,  the  international  community  would 
need  to  agree  upon  a  common  terminology  for  warfare  in  cyberspace.  This  would  include  an 
internationally  accepted  and  enforceable  definition  of  cyber  weapons,  agreement  on  thresholds 
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defining  acts  of  war  in  cyberspace — for  instance,  what  would  be  seen  as  an  act  that  could  justify 
a  kinetic  retaliation — and  agreement  on  whether  civilian  or  non-state  actions,  which  may  or  may 
not  be  state  sponsored,  can  be  interpreted  as  acts  of  war.  States  also  would  have  to  agree  to  show 
their  capabilities  before  can  even  come  to  the  table  to  create  a  cyber  arms  treaty. 

Second,  both  technical  and  political  progress  would  have  to  be  made  on  the  topic  of 
attribution.  Victims  require  technical  means  to  identify  when  a  cyber  attack  has  occurred.  Then, 
the  victim  needs  a  technical  ability  for  determining  where  the  attack  originated — which  can  be  an 
extremely  difficult  task.  States  that  launched  the  attack  would  have  to  be  willing  to  admit 
responsibility  for  the  attack  as  appropriate. 

Third,  a  cyber  arms  regulatory  agency  would  have  to  be  established.  Such  an 
organization  would  not  fit  neatly  into  existing  Internet  organizations,  which  focus  on  commercial 
and  technological  development  priorities.  It  may  be  possible  to  create  a  new  organization  under 
an  internationally  accepted  body,  such  as  the  United  Nations. 

As  an  alternative  to  regulating  weapons  under  a  cyber  arms  treaty,  it  may  be  more 
worthwhile  to  create  an  international  agreement  on  categories  of  acceptable  cyber  targets.  This 
would  not,  however,  be  a  treaty — rather,  the  Law  of  Armed  Conflict  already  applies  to  this 
discussion.  One  potentially  effective  international  discussion  would  be  mapping  cyber  threats 
and  activities  to  the  Law  of  Armed  Conflict."^^"^"^  Lawyers  and  military  officials  around  the  world 
have  presented  theories  on  how  the  Law  of  Armed  Conflict  applies  in  cyberspace;  coming  to 
international  consensus  on  this  topic  could  pave  the  way  for  future  agreements  on  cyberspace. 
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Conclusion 


At  present,  a  cyber  arms  treaty  is  infeasible.  By  evaluating  the  potential  for  success  using 
the  model  identified  above — tactical  and  strategic  implementation — it  appears  that  a  treaty  on 
cyber  weapons  would  be  likely  to  fail.  It  may  be  possible  to  achieve  partial  success  on  insight 
and  measurability,  but  the  other  factors  have  little  or  no  chance  of  success  under  the  current 
cyberspace  environment.  Other  forms  of  agreements  would  provide  a  more  tangible  benefit,  and 
could  pave  the  way  for  a  future  agreement  such  as  a  treaty.  In  particular,  one  possible  positive 
action  is  achieving  an  international  agreement  on  how  the  Law  of  Armed  Conflict  applies  to 
cyber  activities  and  targets. 

The  inherent  anarchic  nature  of  the  Internet  makes  it  difficult  to  regulate;  when  analyzed 
according  to  the  tactical  and  strategic  criteria,  it  is  clear  that  a  cyber  arms  treaty  would  not  be  an 
effective  measure  for  controlling  cyber  threats.  A  cyber  arms  treaty  could  not  serve  as  anything 
more  than  a  token  agreement — something  that  shows  a  willingness  to  cooperate  on  cyber  issues, 
without  agreeing  to  any  significant  change. 
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